" hipaa Archives - HIPAA News, Web & Email Security Tips & News - Plus More | LuxSci

Posts Tagged ‘hipaa’

If my web site is very simple, do I have to worry about HIPAA compliance?

Friday, March 24th, 2017

We received this questions via Ask Erik from a Physicians’ Association:

“Our company website does not contain any patient information.  As a healthcare group, do we need to worry about HIPAA compliance for our site? It contains forms, news and some company polices and procedures but no patient information whatsoever. Thank you.”

Thank you for your question!  Here, we delve into how you can answer this for your site.

 

Read the rest of this post »

How To Encourage Patient Consent To Email Marketing Without Feeling Slimy

Monday, March 20th, 2017

If email marketing is known to produce results across a variety of industries, why do some professionals feel uncomfortable with it?  Why do they feel “slimy”?  It is not uncommon for people to feel hesitant to engage in email marketing because it somehow feels “wrong” to them.    There are several factors at play in this limiting belief; in this article, we shall shed light on them to help dispel this feeling so that you can confidently get to work and grow your business, knowing that you are actually helping others.

Email Marketing

Read the rest of this post »

WordPress Security Overview: Can WordPress be HIPAA-compliant?

Monday, March 13th, 2017

WordPress is a content management system that dominates the internet, powering more than 24% of the web. Although it has many great features that make it quick and easy to set up, the complications associated with HIPAA standards can make it difficult to achieve compliance. WordPress has recovered from a checkered past as far as security is concerned, but it is still a third party tool which is not specifically designed to conform to HIPAA standards.

WordPress Security

Read the rest of this post »

17 Questions To Ask Yourself Before You Send A HIPAA-Compliant Marketing Email

Friday, March 10th, 2017

You’ve just been told that you need to rethink your entire email marketing system. Your attorney and compliance specialist are both telling that you need implement HIPAA-compliant email marketing.

Your starting point is to break down that goal into two components: business goals and HIPAA compliance. Your email marketing has to achieve your business goals like providing fast customer service and generating more appointments. Next, you need to put HIPAA compliant systems and processes in place.

Use these 17 questions to review your email marketing aligns with your business goals and HIPPA.

HIPAA-compliant email marketing

Read the rest of this post »

Why Are Hackers Targeting Your Medical Records?

Thursday, March 2nd, 2017

Medical record theft is booming. Over the past few years, large scale breaches have become more common and increasingly severe. Last year in June, a hacker named thedarkoverlord was selling 650,000 US healthcare records as part of a long-running crime spree. The collection was listed on a deep web marketplace called the Real Deal for over $700,000 worth of Bitcoin.

A cancer treatment provider called 21st Century Oncology had 2.2 million patients records compromised in late 2015. The stolen data included patient names, the names of their doctors, social security numbers, insurance information, diagnoses and treatments. The company was required to notify all of the affected patients and they have also offered free credit protection for one year as partial compensation. 

This is just the tip of the iceberg. According to Bitglass, 113 million Americans were affected by healthcare data breaches in 2015. This is almost 10 times more than the previous year. The IDC’s Health Insights group predicted that one in three patients would be the victim of a breach in 2016. This trend is likely to continue or even intensify over the coming years.

Read the rest of this post »

eBook: HIPAA-compliant Website Basics

Monday, February 27th, 2017

What healthcare organizations need to know about HIPAA-compliant web sites

Book 2 in the LuxSci Internet Security Series.

Created by Erik Kangas, PhD

This LuxSci eBook is your well-researched guide to both a critical understanding of the specific issues and concepts of HIPAA as it applies to web sites, so that you stay compliant with these government standards. This document will provide a framework for your health care organization to keep the privacy of patient information front and center while still having an engaging web presence. Providers will have the necessary tools to meet all requirements established by HIPAA for access to, storage of, and transmission of protected health information (PHI) through web sites.

This eBook includes sections on:

  1. Introduction
  2. What are HIPAA-compliant web sites?
  3. HIPAA-compliance for WordPress
  4. What is HIPAA-compliant web site hosting?
  5. Components of a solid web site hosting infrastructure
  6. Finding a HIPAA-compliant provider
  7. What are HIPAA-compliant web forms?
  8. Informing developers of HIPAA requirements
  9. Conclusion

Download the eBook

What is HIPAA-compliant Email Marketing?

Monday, February 27th, 2017

To achieve HIPPA-compliant email marketing, you need to satisfy two objectives. First, you need to understand the fundamentals of email marketing. Second, you need to execute your email marketing activities within HIPPA’s requirements and restrictions.

HIPAA-compliant email marketing

It’s easy to make a mistake with HIPAA-compliant email marketing, especially when you’re in a rush.

Picture this:

You leave your clinic early on a Thursday afternoon to head off on a vacation. Before you go, you ask your office manager to send off an email blast. You were just certified on a new procedure and you know at least 200 patients in your files would likely benefit from it. A simple message inviting them to the office for a consultation next week is the perfect next step. Your office manager takes some quick notes and promises to send off the note tomorrow. And off you go for a weekend of golf at Pebble Beach.

On your way home, you check your email. You see an angry email from a patient and start reading. It turns out that you’ve violated some arcane HIPAA rules… Even worse, that patient’s sister is an attorney who has promised to call you tomorrow. You’re pretty sure you’ve done nothing wrong but you’re nervous on the flight home.

This situation could have been prevented if your office manager had asked you one simple question:

Read the rest of this post »

Is sharing my patient list with a marketing company OK under HIPAA?

Saturday, February 11th, 2017

We received this questions via Ask Erik from the head of a Dental Practice (who wished to remain anonymous):

“I want to create a Refer-a-Friend program, for a dental practice, that will be managed by a third party marketing agency.  The third party needs only my patient names and address to do an on-going e-mail campaign, no PHI will be given to the third party — just name and e-mail address.

Because I am ‘Marketing” to my own list, and I am NOT marketing any third party products, and I am not receiving any third party payment for anything:

* Am I in any HIPAA danger? (No PHI is ever exchanged, and I am NOT marketing anyone else’s product.)

* Because my PHI is de-identified from the associated names and e-mail addresses, is it OK for me to hand over my patient mail list to my marketing agency (being very careful of course to include NO PHI)?

* Does HIPAA specifically prevent me from marketing my own products to my patient list? I know that marketing other people’s products to my list will require prior consent. But, marketing my own Refer-a-Friend program… how is that a violation?

NOTE: PHI is defined as: “(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”

So, is a mail list of my patients’ names and e-mail addresses considered to be PHI (if it contains no associated PHI as defined above)? The definition above would say NO. The definition above states that it is ONLY the health information about a patient — NOT the patient’s name and e-mail addresses themselves.

Also, on the mail list for the Refer-a-Friend marketing program, there will be names other than patients, probably about 5% are not patients. Does this influence the phi/non-phi question?

This is a very important distinction. Having clarity on this question could free up a lot of us to proceed with e-mail marketing.

If a mailing list, for a dentist, that contains 95% patients and 5% non-patients, and NO health information (just names and addresses)… is it considered PHI?”

Read the rest of this post »

Am I at HIPAA-risk if a patient replies to my secure email message?

Tuesday, January 31st, 2017

Here is a question from “Ask Erik:”

Dear Dr. Kangas,  When I write an email to a patient from my LuxSci account, it is encrypted and therefore HIPPA compliant.  When they write me back from their regular email address (it’s often hard to get them to sign up at LuxSci), they are putting [PHI /Medical Information] out without security, but that is not my HIPPA violation as I understand it because patients are not required to keep their PHI secure.  Yet often a patient replying to my email simply hits ‘reply’ and my email is attached to their reply, putting my original email in an insecure from on the Internet.  Does that become therefore a HIPPA violation of mine, especially if I continue to allow this without telling the patient to stop doing this?

Read the rest of this post »

Does HIPAA really permit reminding patients to pick up their prescriptions?

Thursday, December 8th, 2016

We get calls and text messages from pharmacies like CVS, reminding us that it is time to pick up and/or renew our prescriptions for drugs or other medical items. When you think about HIPAA, this is confusing. In many cases, these reminders constitute Protected Health Information (PHI) … so is this really allowed?

The default answer of “it must be OK if CVS is doing it” is naive as it loses all of the context about what is and is not permitted and does not shed any insight into when and how other organizations may similarly inform or remind patients of things such as prescriptions and appointments.

Is it really PHI?

Read the rest of this post »